[Nfd-dev] [EXT]Re: Try NDNCERT (based on Interest-Data exchange) and get an NDN certificate today

Zhiyi Zhang zhiyi at cs.ucla.edu
Sun Jan 31 10:10:55 PST 2021


The issue has been resolved. We now need to get a new certificate from
Prof. John Dehart. Once I get it, I will restart the deployment with new
code and new cert.

Best,
Zhiyi

On Fri, Jan 29, 2021 at 8:40 PM Junxiao Shi <shijunxiao at email.arizona.edu>
wrote:

> Hi Zhiyi
>
> It's been a week. I saw some commits related to these items. Have you
> updated the deployment?
>
> Yours, Junxiao
>
> On Sat, Jan 23, 2021, 04:17 Junxiao Shi <shijunxiao at email.arizona.edu>
> wrote:
>
>> Hi Zhiyi
>>
>> I can confirm that the routes for /ndn/CA are correct now.
>> If you delete packets from repo-ng's database, you do have to restart the
>> service. repo-ng can pick up changes and unregister the prefix only if you
>> delete Data through its API.
>>
>> However, it seems that the CA certificate has expired:
>> $ NDNTS_UPLINK=tcp://192.168.5.10 ndncat get-segmented /ndn/CA/INFO |
>> ndn-dissect | awk '$1>=253 && $1<=255'
>>       253 (RESERVED_3) (size: 38)
>>         254 (RESERVED_3) (size: 15) [[20171220T001939]]
>>         255 (RESERVED_3) (size: 15) [[20201231T235959]]
>> You'll need to use an unexpired CA certificate for certificate request to
>> succeed, according to section "2.3.3 ValidityPeriod" requirements.
>>
>> This did expose an NDNts bug that I'm still creating a request, with a
>> ValidityPeriod that has NotBefore later than NotAfter, like this:
>> 0000   fd 00 fd 26 fd 00 fe 0f 32 30 32 31 30 31 32 33   ...&....20210123
>> 0010   54 30 38 35 38 33 37 fd 00 ff 0f 32 30 32 30 31   T085837....20201
>> 0020   32 33 31 54 32 33 35 39 35 39                     231T235959
>> I'll get it fixed.
>>
>> Your CA implementation is also lacking necessary checks for CA
>> certificate validity period, according to section "2.3.3 ValidityPeriod"
>> requirements.
>>
>> https://github.com/Zhiyi-Zhang/ndncert/blob/d35bc5f78dae76cc3f56479336845cb1aeb6c9f3/src/ca-module.cpp#L270-L272
>> This must be checked during NEW command processing and possibly also
>> before issuing each certificate. It's insufficient to only check at CA
>> startup, because the CA certificate could become expired while the CA is
>> running.
>>
>> Yours, Junxiao
>>
>> On Fri, Jan 22, 2021 at 6:53 PM Zhiyi Zhang <zhiyi at cs.ucla.edu> wrote:
>>
>>>
>>>
>>> On Fri, Jan 22, 2021 at 12:55 PM Junxiao Shi <
>>> shijunxiao at email.arizona.edu> wrote:
>>>
>>>> Hi Zhiyi
>>>>
>>>> There are still erroneous packets starting with /ndn/CA in the
>>>> /localhost/repo-ng repository.
>>>> To check that, go to https://suns.cs.ucla.edu/n/ , and on the "Routes" tab
>>>> select the "/ndn/CA" prefix. It should show only one nexthop pointing to the CA
>>>> program.
>>>> Currently it's showing two nexthops: a repo-ng instance and the CA
>>>> program.
>>>>
>>>> Please delete the erroneous packets.
>>>> If you are sure no erroneous packet exists, try restarting the repo-ng
>>>> service and see whether the prefix registration clears up.
>>>>
>>>
>>> I deleted the packet with an SQLite database operation.
>>> I think I will need to restart it to reflect the change.
>>>
>>>
>>>> Another problem is, the CA program is not responding to certificate
>>>> retrieval Interests that carry the implicit digest component.
>>>> This needs to be fixed in the CA program.
>>>>
>>>> https://github.com/Zhiyi-Zhang/ndncert/blob/aa60c96f609ba4a3c92344c77bbb63e6d7e116fa/tools/ndncert-ca-server.cpp#L152
>>>>
>>>
>>> Okay. I think I will need to use getFullName() instead of getName().
>>>
>>> Best,
>>> Zhiyi
>>>
>>>>
>>>>
>>>> Yours, Junxiao
>>>>
>>>> On Fri, Jan 22, 2021 at 2:18 PM Zhiyi Zhang <zhiyi at cs.ucla.edu> wrote:
>>>>
>>>>> Hi Junxiao and John,
>>>>>
>>>>> As discussed during the NFD call:
>>>>> * I just brought NDNCERT back online without the dependencies on
>>>>> the repo.
>>>>> * Now the profile and published certs are kept by the NDNCERT CA tool.
>>>>> I replaced the map with a fixed-size queue to prevent the cache from growing
>>>>> infinitely large.
>>>>> * I've deleted the profile data from the repo.
>>>>>
>>>>> @John Then, there is no need to set up a new repo-ng.
>>>>> Thank you so much.
>>>>>
>>>>> Best,
>>>>> Zhiyi
>>>>>
>>>>> On Fri, Jan 22, 2021 at 10:01 AM Junxiao Shi <
>>>>> shijunxiao at email.arizona.edu> wrote:
>>>>>
>>>>>> Hi Zhiyi
>>>>>>
>>>>>> repo-ng at /localhost/repo-ng listens on TCP port 7376.
>>>>>>
>>>>>> https://github.com/WU-ARL/NDN_Ansible/blob/da31ed28c65c1e94a688070fc9be4ae74e4f6645/roles/repo-ng/templates/repo-ng.conf.j2#L35
>>>>>> It has registration-subset=3.
>>>>>>
>>>>>> repo-ng at /localhost/repo-ng-2 listens on TCP port 7377.
>>>>>>
>>>>>> https://github.com/WU-ARL/NDN_Ansible/blob/da31ed28c65c1e94a688070fc9be4ae74e4f6645/roles/repo-ng/templates/repo-ng-2.conf.j2#L32
>>>>>> It has registration-subset disabled.
>>>>>>
>>>>>> ndn-python-repo listens on TCP port 7378.
>>>>>>
>>>>>> https://github.com/WU-ARL/NDN_Ansible/blob/da31ed28c65c1e94a688070fc9be4ae74e4f6645/roles/ndn-python-repo/templates/ndn-python-repo.conf.j2#L26
>>>>>>
>>>>>> As explained in
>>>>>> https://www.lists.cs.ucla.edu/pipermail/nfd-dev/2021-January/004238.html ,
>>>>>> you need another instance of repo-ng with registration-subset=0 to
>>>>>> publish your CA profile and issued certificates.
>>>>>>
>>>>>> Yours, Junxiao
>>>>>>
>>>>>> On Fri, Jan 22, 2021 at 12:54 PM Zhiyi Zhang <zhiyi at cs.ucla.edu>
>>>>>> wrote:
>>>>>>
>>>>>>> Hi John,
>>>>>>>
>>>>>>> Could you also let me know the port numbers of the different running
>>>>>>> instances of the repo, because NDNCERT is using TCP Bulk to insert packets into the
>>>>>>> repo.
>>>>>>>
>>>>>>> Best,
>>>>>>> Zhiyi
>>>>>>>
>>>>>>> On Fri, Jan 22, 2021 at 8:34 AM Dehart, John <jdd at wustl.edu> wrote:
>>>>>>>
>>>>>>>>
>>>>>>>> Looks like there was no 'Restart' entry in the systemd file for
>>>>>>>> the python repo.
>>>>>>>> I've added that and we'll see if it does better.
>>>>>>>>
>>>>>>>> John
>>>>>>>>
>>>>>>>>
>>>>>>>> On Jan 22, 2021, at 10:21 AM, Dehart, John via Nfd-dev <
>>>>>>>> nfd-dev at lists.cs.ucla.edu> wrote:
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> I'll take a look at the repo issue. All testbed nodes should be
>>>>>>>> running both repo-ng and python repo.
>>>>>>>> Maybe it's a systemd issue.
>>>>>>>>
>>>>>>>> John
>>>>>>>>
>>>>>>>> On Jan 20, 2021, at 9:38 PM, Zhiyi Zhang <zhiyi at cs.ucla.edu> wrote:
>>>>>>>>
>>>>>>>> Yeah. I found the repo is not running on the Suns: ERROR: Cannot
>>>>>>>> publish certificate to repo-ng (Connection refused)
>>>>>>>>
>>>>>>>> @Lixia do you know whom I should contact to deploy the repo, and
>>>>>>>> which repo should be used?
>>>>>>>>
>>>>>>>> I just brought NDNCERT back without the parameter to publish to
>>>>>>>> the repo. After people figure out the repo deployment, I will update the
>>>>>>>> parameter used in the NDNCERT service.
>>>>>>>>
>>>>>>>> Best,
>>>>>>>> Zhiyi
>>>>>>>>
>>>>>>>> On Wed, Jan 20, 2021 at 11:11 AM Junxiao Shi <
>>>>>>>> shijunxiao at email.arizona.edu> wrote:
>>>>>>>>
>>>>>>>>> Hi Zhiyi
>>>>>>>>>
>>>>>>>>> As you mentioned on the 2021-01-15 NFD call, you have updated the
>>>>>>>>> deployment to use the 2019 Naming Convention.
>>>>>>>>> However, I'm now unable to retrieve the CA profile - the CA is not
>>>>>>>>> responding at all.
>>>>>>>>>
>>>>>>>>> $ ndnpeek -Pf /ndn/CA/INFO/32=metadata
>>>>>>>>> $ echo $?
>>>>>>>>> 3
>>>>>>>>>
>>>>>>>>> Wireshark and NFD counters indicate that the Interest has arrived
>>>>>>>>> on suns.cs.ucla.edu, but there's no response.
>>>>>>>>>
>>>>>>>>> Yours, Junxiao
>>>>>>>>>
>>>>>>>>
>>>>>>>
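The two ValidityPeriod problems raised in the thread (a request whose NotBefore is later than its NotAfter, and a CA that checks its own certificate's validity only at startup) as an added example; this is not code from the thread, from ndncert or from NDNts. It decodes the ValidityPeriod TLV (types 253/254/255, as in the ndn-dissect output above) with a small NDN TLV reader and classifies the period against a supplied reference time. The byte string is copied from the hex dump in the thread, the CA certificate dates are re-encoded from the ndn-dissect output, and the function names and status strings are this example's own.

```python
"""Decode an NDN ValidityPeriod TLV and classify it against a reference time.

Added example (not ndncert/NDNts code). TLV type numbers follow the NDN packet
format: ValidityPeriod=253, NotBefore=254, NotAfter=255.
"""
from datetime import datetime, timezone

TLV_VALIDITY_PERIOD = 253
TLV_NOT_BEFORE = 254
TLV_NOT_AFTER = 255


def read_varnum(buf: bytes, pos: int):
    """Decode one NDN TLV variable-length number at pos; return (value, next_pos).

    A first byte below 253 is the value itself; 253, 254 and 255 introduce a
    2-, 4- or 8-byte big-endian number.
    """
    first = buf[pos]
    if first < 253:
        return first, pos + 1
    width = {253: 2, 254: 4, 255: 8}[first]
    end = pos + 1 + width
    if end > len(buf):
        raise ValueError("truncated TLV number")
    return int.from_bytes(buf[pos + 1:end], "big"), end


def read_tlv(buf: bytes, pos: int):
    """Return (type, value, next_pos) for the TLV element starting at pos."""
    typ, pos = read_varnum(buf, pos)
    length, pos = read_varnum(buf, pos)
    end = pos + length
    if end > len(buf):
        raise ValueError("TLV length exceeds buffer")
    return typ, buf[pos:end], end


def encode_varnum(n: int) -> bytes:
    """Encode an NDN TLV variable-length number (inverse of read_varnum)."""
    if n < 253:
        return bytes([n])
    if n <= 0xFFFF:
        return b"\xfd" + n.to_bytes(2, "big")
    if n <= 0xFFFFFFFF:
        return b"\xfe" + n.to_bytes(4, "big")
    return b"\xff" + n.to_bytes(8, "big")


def encode_tlv(typ: int, value: bytes) -> bytes:
    """Encode one TLV element."""
    return encode_varnum(typ) + encode_varnum(len(value)) + value


def parse_timestamp(value: bytes) -> datetime:
    """Parse the ISO 8601 basic-format UTC timestamp used in ValidityPeriod."""
    return datetime.strptime(value.decode("ascii"), "%Y%m%dT%H%M%S").replace(tzinfo=timezone.utc)


def encode_validity_period(not_before: str, not_after: str) -> bytes:
    """Build a ValidityPeriod TLV from two timestamp strings."""
    inner = encode_tlv(TLV_NOT_BEFORE, not_before.encode("ascii"))
    inner += encode_tlv(TLV_NOT_AFTER, not_after.encode("ascii"))
    return encode_tlv(TLV_VALIDITY_PERIOD, inner)


def decode_validity_period(buf: bytes):
    """Decode a ValidityPeriod TLV into (not_before, not_after) datetimes."""
    typ, value, end = read_tlv(buf, 0)
    if typ != TLV_VALIDITY_PERIOD:
        raise ValueError(f"expected ValidityPeriod (253), got {typ}")
    if end != len(buf):
        raise ValueError("trailing bytes after ValidityPeriod")
    fields = {}
    pos = 0
    while pos < len(value):
        t, v, pos = read_tlv(value, pos)
        fields[t] = v
    if set(fields) != {TLV_NOT_BEFORE, TLV_NOT_AFTER}:
        raise ValueError("ValidityPeriod needs exactly NotBefore and NotAfter")
    return parse_timestamp(fields[TLV_NOT_BEFORE]), parse_timestamp(fields[TLV_NOT_AFTER])


def check_validity(buf: bytes, now: datetime) -> str:
    """Classify a ValidityPeriod relative to `now`.

    Returns "inverted" (NotBefore after NotAfter), "not-yet-valid", "expired"
    or "valid". A CA should run this against its own certificate whenever it
    processes a NEW command or issues a certificate, not only at startup.
    """
    not_before, not_after = decode_validity_period(buf)
    if not_before > not_after:
        return "inverted"
    if now < not_before:
        return "not-yet-valid"
    if now > not_after:
        return "expired"
    return "valid"


# Bytes copied from the hex dump in the thread: NotBefore 20210123T085837,
# NotAfter 20201231T235959 (the inverted period NDNts was producing).
INVERTED_REQUEST = bytes.fromhex(
    "fd 00 fd 26 fd 00 fe 0f 32 30 32 31 30 31 32 33 54 30 38 35 38 33 37"
    " fd 00 ff 0f 32 30 32 30 31 32 33 31 54 32 33 35 39 35 39"
)
# Re-encoded from the dates in the ndn-dissect output for the CA certificate.
CA_CERT_PERIOD = encode_validity_period("20171220T001939", "20201231T235959")

if __name__ == "__main__":
    when = parse_timestamp(b"20210123T000000")  # constructed reference time
    print("request:", check_validity(INVERTED_REQUEST, when))  # inverted
    print("CA cert:", check_validity(CA_CERT_PERIOD, when))    # expired
```

Running the file classifies the captured request as "inverted" and the CA certificate as "expired" on 2021-01-23, which is the combination the thread describes; the reference time is passed in explicitly so the same check can be applied at request-processing time rather than once at startup.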